Additional insights 1
There is a widespread myth that ISO 27001 requires hundreds of pages of documentation. It does not. It requires the right documentation — documents that prove the ISMS exists, functions, and is continuously improving. Auditors do not count pages; they verify that documents reflect the actual state of the organisation and that staff applying the controls are aware of their content.
Mandatory documentation under the standard includes: the ISMS scope statement, information security policy, security objectives, risk assessment methodology, risk register, Statement of Applicability (SoA), risk treatment plan, records of competence and training, monitoring records, internal audit results, management review findings, and the corrective action register.
Additional insights 2
Not mandatory, yet written by many organisations anyway: detailed IT procedures for every piece of software in use, individual policies for each of the 93 Annex A controls, and records that nobody uses and nobody updates. An auditor who finds a documented procedure that is not being followed faces a worse situation than a missing procedure — a gap between documentation and practice is a major non-conformity.
A practical principle: document what you actually do, not what you ideally should do. If your password policy states 'every 90 days' but no one actually changes passwords every 90 days — either update the policy to reflect reality or implement enforcement that makes it real.
Additional insights 3
The ISO Toolbox we use as part of our vCISO service contains templates for all mandatory documents, adapted to the organisation's type and size. These are not generic templates downloaded from the internet — they are tailored to specific context: industry, team size, type of data processed.
If you are unclear about what you have and what is missing in your documentation, start with a gap analysis. See the vCISO and ISO 27001 service page and book a call for a free assessment of your starting point.